How detailed should the record of processing activities be in kindergartens? Could you provide specific examples regarding the scope of data and processing activities in relation to a kindergarten pupil?

ANSWER

The level of detail of the record of processing activities depends on the controller. It is essential that the register contains the elements indicated in Article 30(1) GDPR, including:

• the contact details of the controller and, where applicable, of the joint controllers, the controller's representative and the data protection officer;
• the purposes of the processing;
• a description of the categories of data subjects and of the categories of personal data;
• the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that country or organisation and the documentation of suitable safeguards;
• where possible, the envisaged time limits for erasure of the different categories of data;
• where possible, a general description of the technical and organisational security measures.

The controller decides on the scope of data collected, as it is the controller who determines the purposes and means of processing. Furthermore, the scope and specificity of activities may depend on sector-specific regulations, such as education law. We encourage you to read the guide "Personal data protection in schools and educational institutions", prepared by UODO and the Ministry of Education and Science, which may be helpful in this regard.